The Sheikh, the Businessman and a Hacking Mystery on 3 Continents
A case that began with a feud in the United Arab Emirates, stretched from the U.S. to India and is now playing out in the British courts offers a rare glimpse into the anatomy of a hack-and-leak operation.
For decades, Farhad Azima navigated the shadowlands where business blends with intrigue and the limits of the law. He popped up in the Iran-contra affair, was named in a Clinton-era fund-raising scandal and owned airlines that flew weapons into war zones.
Mr. Azima, an Iranian American living in Kansas City, Mo., was not accused of wrongdoing in any of those episodes but is now entangled in a mystery involving another underground industry — hacking. Several years ago, hundreds of his emails, text messages and documents were stolen and loaded onto obscure corners of the internet. In short order, the records publicly emerged in news accounts and a multimillion-dollar lawsuit against him by a little-known emirate.
The tactic, called a “hack and dump” or “hack and leak,” is best known for its use against Hillary Clinton during the 2016 presidential campaign. Along with upending politics, the operations are creating challenges for law firms, news organizations and companies throughout the business world.
Recently, as reporters at The Financial Times were investigating alleged fraud at Wirecard, a payment processor, emails written by one of the journalists were posted on the web. Data stolen from a number of companies, such as Sony and Intel, as well as state and local government agencies, have also been dumped online.
Meanwhile, a cybersecurity watchdog, Citizen Lab, reported last year that an Indian company called BellTroX ran a “hacking for hire” operation for hundreds of clients seeking to gather information about activists, journalists and people involved in litigation. The name of BellTroX’s owner, Sumit Gupta, had surfaced before, when he was indicted on U.S. hacking charges in 2015 alongside two American private investigators. Mr. Gupta, who has denied any wrongdoing, remains a fugitive.
“You can’t have a business that does this without a demand for it,” said Mark Califano, a former federal prosecutor who has worked in the corporate investigations industry.
The case of Mr. Azima offers an unusually well-documented anatomy of hack-and-dump operations, showcasing their international complexity and the difficulties of identifying those who run and pay for them. The case’s reach touches on the United States, Britain, India and Ras al Khaymah, a tiny emirate ruled by a sheikh near Dubai.
In 2007, Mr. Azima entered into a joint business venture with the emirate’s investment fund. But by a decade later, that relationship had soured.
Lawyers and private investigators working for the emirate’s fund said in 2016 that they found emails and records belonging to Mr. Azima online, and that these showed he had misled it. Mr. Azima denied the allegations, but his hacked records were used against him last year during a trial in London, where a judge found him liable and ordered him to pay the fund $4.2 million in damages.
The judge questioned how the documents had come to light, however, and Mr. Azima believed that the beneficiary of the hack, the emirate, was behind it.
Then an unexpected call to one of his lawyers started a new investigation into its possible origins — one that led to BellTroX, the alleged hacking company, and another firm in India. The script has flipped, and a British judge recently allowed Mr. Azima to file a hacking-related lawsuit against the emirate’s fund, a major American law firm and others.
All those named in the actions have denied any involvement in the theft of Mr. Azima’s records, and have insisted that his documents were found unexpectedly on the internet after unknown hackers released them there.
A Tiny Emirate
Ras al Khaymah, the northernmost of seven emirates composing the United Arab Emirates, is only a 90-minute drive from the shimmering high-rises of Dubai, but its landscape consists largely of sand dunes and date farms. Unlike its neighbors, the emirate derives its wealth not from oil but from mineral deposits, and it turns these into ceramics used in home fixtures under the international brand RAK.
The emirate’s fund first became involved with Mr. Azima in 2007, when it agreed to back his plan to develop a facility in Ras al Khaymah that would train airline pilots. His association with the fund’s head would lead to his current problems.
The authorities in Ras al Khaymah would later accuse the executive, Khater Massaad, of misappropriating $2 billion. And in 2014, the fund hired a lawyer at the London office of Dechert, a large law firm based in Philadelphia, to start an investigation of Mr. Massaad, who denied any wrongdoing. (He would later be convicted by an emirate court in absentia.)
In Ras al Khaymah, Mr. Azima’s continuing ties to Mr. Massaad raised concerns. The emirate’s ruler, Sheikh Saud bin Saqr Al Qasimi, instructed an associate in 2015 to “go after” Mr. Azima, court filings show, after a private investigator reported that Mr. Azima was planning a retaliatory media campaign on Mr. Massaad’s behalf to depict the emirate as an abuser of human rights. Mr. Azima has also claimed that the Dechert lawyer warned him in 2016 that he could become “collateral damage” if he failed to persuade Mr. Massaad to cooperate.
That lawyer, Neil Gerrard, who retired last year from the firm, has disputed that account. “I meant that once litigation is started or a prosecutor takes over, these things get a life of their own,” he testified as part of last year’s lawsuit in London.
Whatever occurred at the heated meeting, Mr. Azima’s accounts apparently had already been hacked. Blog posts accusing him of fraud appeared a few weeks afterward, and his emails and records emerged on file-sharing sites.
Soon, Dechert sent Mr. Azima a letter on the fund’s behalf stating that documents on “publicly available internet sources” showed that he had misled his investors. The letter claimed he had made fraudulent representations during talks to settle his ventures with the fund, including the pilot-training facility, which never became operational. Separately, it accused him of bribing Mr. Massaad to get a commission on a hotel sale.
Mr. Azima was told to repay the fund millions of dollars. He refused, and litigation began in London, where he and the fund had agreed to settle their disputes.
‘The Poisonous Tree’
Court policies on the use of hacked documents vary among countries. Judges in the United States tend to frown on the practice in lawsuits, while in Britain, where Mr. Azima was sued, there is no rule against the introduction of stolen records, so long as a party to the case is not involved in the theft.
“In the U.S., there is the concept of the fruit of the poisonous tree,” said Polly Sprenger, a lawyer in London. “In English litigation, we don’t have it.”
A spokeswoman for Dechert did not respond to emails inquiring about the firm’s policies on handling hacked records, but Mr. Gerrard has testified that Mr. Azima’s documents were central to the case against him. Both the law firm and Mr. Gerrard have rejected any suggestion they were aware of efforts to hack the businessman.
Outside court, illegally obtained records often surface in the media, and news organizations have struggled in recent years with how to handle them.
In 2014, when emails from Sony Pictures were hacked and leaked in retaliation for “The Interview,” a spoof about a plot to assassinate North Korea’s leader, Kim Jong-un, the company threatened legal action against media outlets. Some journalists declined to write about the emails, viewing the hack as a foreign intelligence operation. But others saw the documents as newsworthy.
Before the 2020 elections, some newsrooms, including The Associated Press and The New York Times, distributed guidelines advising reporters to exercise caution in deciding whether to publicize hacked material. The editor of The Washington Post, Martin Baron, told his staff that articles had to emphasize “what we know — or don’t know — about the source of the information.”
Mr. Azima’s case contained a special twist where the media was concerned. Among the records that emerged in 2016 were messages between him and a reporter at The Wall Street Journal, Jay Solomon, who had used the businessman as a source.
That year, after the tense meeting between Mr. Azima and Mr. Gerrard, a blog post linking to hacked records appeared under the title “Fraud Between Farhad Azima and Jay Solomon.” Mr. Gerrard later said Mr. Azima had invoked the reporter at the meeting as someone who might write about alleged human rights abuses in Ras al Khaymah.
Mr. Solomon has said Mr. Azima never mentioned the issue to him. But in late 2016, someone was shopping hacked messages between the two men to the news media, including ones suggesting that they may have discussed a possible venture involving weapons sales.
Initially, Mr. Solomon was able to assure his superiors at The Journal that the documents were misleading. But in mid-2017, The A.P. published two articles relying on a large cache of Mr. Azima’s emails and records that the wire service said it had “obtained.” One article reported that The Journal had fired Mr. Solomon after it provided the newspaper with emails about his possible business ties to Mr. Azima.
Mr. Solomon, later writing for The Columbia Journalism Review, acknowledged failing to tell his editors about all his interactions with Mr. Azima, including time he had spent on the businessman’s yacht. But he insisted that he had never discussed or engaged in any commercial ventures with Mr. Azima.
“Somebody manipulated and weaponized those emails to cast me in the worst light,” Mr. Solomon said in a recent interview.
In an email, Ted Bridis, a former editor at The A.P. who oversaw the articles, defended the decision not to disclose more about how it had “obtained” the hacked emails, saying it did not discuss sources.
Kelly McBride, a media ethics expert at the Poynter Institute, a journalism research and training organization, said she believed that news organizations had a duty to reveal the motives of those providing them with stolen documents.
“I think your moral obligation goes even further than transparency,” Ms. McBride said. “I think you have an obligation to not play into dirty tricks or dirty politics or dark forces.”
A Tie to India
Gurugram, a high-tech hub 20 miles outside New Delhi, is a mix of potholed roads and gleaming office towers that house companies like Facebook, Google and Twitter. On the fifth floor of one pale green building is the small office of CyberRoot Risk Advisory, a local firm that Mr. Azima recently accused in a London court filing of having ties to BellTroX, the alleged hacking-for-hire company, and of playing a role in the theft of his records.
India is home to a growing hacking industry. “This is the dark underbelly of India’s I.T. sector,” said Salman Waris, a lawyer in New Delhi, who said some of his clients had become targets.
During last year’s trial of Mr. Azima, the possible role of Indian firms had yet to emerge. And those working on behalf of Ras al Khaymah testified that their discovery of his documents had been a surprise.
One private investigator, Stuart Page, said he was alerted in August 2016 about one of the blog posts by an Israeli Palestinian journalist whom he had asked to monitor the internet for information about Mr. Azima and others. He said he had notified others, including Mr. Gerrard, who testified that he had contacted another private detective involved in the case. That detective, Nicholas Del Rosso, said he had then hired an internet security firm that downloaded the files.
Though the judge questioned the credibility of that story, his ruling against Mr. Azima should have ended the case. But soon, a reporter with Reuters contacted one of his lawyers and said the news organization had records indicating that BellTroX had sent him phishing emails.
Mr. Azima, Mr. Massaad, their lawyers and other associates would uncover over 150 phishing emails, sent to them between 2015 and 2017, that bore the fingerprints of BellTroX, court filings state.
Mr. Azima’s lawyers then hired a private investigator. That investigator, Jonas Rey, stated in an affidavit filed in Mr. Azima’s London lawsuit that an unnamed associate in India put him in touch with a computer specialist who used to work at CyberRoot.
According to the investigator’s affidavit, that ex-employee, Vikash Kumar Pandey, told him that CyberRoot had used BellTroX’s hacking infrastructure to send phishing emails because it lacked the technical ability to do so. Mr. Pandey also allegedly said Mr. Del Rosso, the private detective, had directed CyberRoot’s actions.
Records show that Mr. Del Rosso’s firm paid CyberRoot over $1 million between 2015 and 2017. Last year, Mr. Azima sued Mr. Del Rosso in a federal court in North Carolina, accusing him of hacking.
Mr. Del Rosso, who did not respond to emails seeking comment, has rejected the allegation and said in court papers that all his payments to CyberRoot were for legitimate services. He added that he had never heard of Mr. Pandey. The other investigator, Mr. Page, who did not respond to requests for comment, has denied any role in hacking.
A History of Trouble
The lawsuit filed by Mr. Azima is not expected to go to trial in London until next year, and Mr. Pandey, the computer specialist, is unlikely to testify.
In his affidavit, Mr. Rey, Mr. Azima’s investigator, said that Mr. Pandey had told him he faced legal problems, including an accusation of manslaughter, and that their conversations about hacking had ended after Mr. Pandey notified CyberRoot about them. Mr. Pandey has provided CyberRoot with a document indicating that one of Mr. Azima’s lawyers promised him a well-paying consulting deal if he provided information, court filings state. Mr. Pandey could not be reached for comment.
A Times reporter who visited the offices of CyberRoot in Gurugram was told by a receptionist to submit questions in writing to the company’s executives. They did not respond to subsequent emails.
The current round of litigation is not the first time the emirate’s name has come up in connection with cyberwarfare.
A decade ago, a lobbying firm working for the half brother of Sheikh Saud, his political opponent, alerted the Justice Department that its computers had been hacked, according to a published account. More recently, The Smoking Gun, a news website, was the target of a denial-of-service attack aimed at an article it published years earlier about the arrest of the emirate’s ruler in Minnesota on charges that he sexually assaulted a hotel employee. (The charges were dropped.)
“We never had that kind of attack before,” said William Bastone, the website’s editor. “And we have never had one since.”
A spokesman for the Ras al Khaymah fund did not respond when asked about those episodes. In a statement, he said that the new lawsuit against the fund by Mr. Azima was unfounded and had no relation to the findings of fraud against him.
Ras al Khaymah “is committed to bringing to justice those who have misappropriated public funds from the emirate and its people,” that statement said.
As for Mr. Azima, he is confident that he will soon know the identity of those behind the hack. “They hunted me and other perceived adversaries,” he said in a statement. “But now the truth is hunting them.”